An online attack that forced Facebook to log out 90 million users last month directly affected 29 million people on the social network, the company said on Friday as it released new details about the scope of an incident that has regulators and law enforcement on high alert.
Through a series of interrelated bugs in Facebookโs programming, unnamed attackers stole the names and contact information of 15 million users, Facebook said. The contact information included a mix of phone numbers and email addresses.
An additional 14 million users were affected more deeply, having additional details taken related to their profiles, such as their recent search history, gender, educational background, geolocation data, birth dates, and lists of people and pages they follow.
Facebook said last month that it detected the attack when it noticed an uptick in user activity. An investigation soon found that the activity was linked to the theft of security codes that, under normal circumstances, allow Facebook users to navigate away from the site while remaining logged in.
The bugs that allowed the attack to occur gave hackers the ability to effectively take over Facebook accounts on a widespread basis, the company said when it disclosed the breach.
The 29 million affected users, along with 1 million whose security tokens were taken but did not appear to have their data stolen, will be receiving customized messages from Facebook identifying specifically which types of information on their profiles, if any, were involved in the breach. Facebook executives told reporters on Friday that the company will also try to reach affected users who have since deleted their Facebook profiles.